Thread: Secure Coding
19-07-2010, 17:05, post #19
Damien
Re: Secure Coding

Quote: Originally Posted by punky
I didn't think about that as Raistlin was talking about web-only technologies so defaulted to ASP.NET rather than all of .NET

Which reminds me, I used ADO.NET a while ago to connect my ASP.NET app to MySQL. I wonder if they support parameterisation? I'm guessing it does, as ASP.NET does the work and not the DB engine?
Like I mentioned previously, the database does require support. This is because parametrised queries are not queries which are then escaped by the ADO.NET framework.

Instead, these are queries which are passed down to the database with the tokens (@whatever) left in place. The MS SQL database does two things, that I know of: first of all, it caches a query execution plan. This allows it to perform subsequent operations marginally faster as, because the query has been parametrised, the only variables to the query are those parameters, which it does not need yet.

Second; it inserts the parameter values which you pass down from your application.

Try it out. Write a parametrised query from your application and 'forget' to supply a parameter. The error thrown will be from the database and not the .Net framework.
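As an added, runnable illustration (not code from the thread or from ADO.NET), here is the point made above: the SQL text reaches the engine with placeholder tokens and the values are bound separately, so a hostile value never becomes part of the statement, and a forgotten parameter is rejected outright. Python's sqlite3 with an in-memory table stands in for ADO.NET and MS SQL; the table contents and the hostile input are constructed for the example.

```python
import sqlite3

# Added example (not from the thread). SQLite accepts "@name" tokens, so they
# play the role of the @whatever placeholders discussed in the post.

def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn

def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the value is spliced into the SQL text, so the engine
    parses whatever the caller supplied as part of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Parametrised form: the SQL text is fixed and the engine binds @name as a
    plain value after parsing, exactly as the post describes for MS SQL."""
    sql = "SELECT name FROM users WHERE name = @name"
    return [row[0] for row in conn.execute(sql, {"name": name})]

def lookup_missing_parameter(conn: sqlite3.Connection) -> str:
    """'Forget' to supply the parameter, as the post suggests trying: the
    statement is refused before any row comes back, rather than silently
    running with an empty value."""
    try:
        conn.execute("SELECT name FROM users WHERE name = @name", {}).fetchall()
    except sqlite3.ProgrammingError as exc:
        return type(exc).__name__
    return "no error"

if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"   # constructed input that closes the quoted literal
    print(lookup_concatenated(db, hostile))   # ['alice', 'bob']: every row leaks
    print(lookup_parameterised(db, hostile))  # []: treated as a literal name
    print(lookup_parameterised(db, "bob"))    # ['bob']
    print(lookup_missing_parameter(db))       # ProgrammingError
```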